THIS AGREEMENT is made on
BETWEEN:
(1) {INSERT THE DATA CONTROLLER ORGANISATION} (the Controller); and
(2) Engage Health Systems Ltd, registered company number 11668237 of 1a, St Nicholas Court, North Walsham, Norfolk, NR28 9BY (the Supplier)
BACKGROUND
(A) The Controller has appointed the Supplier to provide the Services (as defined below) under an agreement dated {INSERT DATE} (the Supply Agreement) for the provision of patient facing services.
(B) In performing the Services, the Supplier is required to process certain Personal Data (as defined below). The Controller has agreed to provide such Personal Data to the Supplier for processing only in accordance with the terms of this Agreement from the date on which this Agreement is entered into (the Commencement Date).
(C) To the extent that the Supply Agreement contains any provisions which govern the processing of Personal Data by the Supplier, the parties agree and acknowledge that the provisions of this Agreement shall prevail to the extent of any conflict or inconsistency.
IT IS AGREED as follows:
1. DEFINITIONS AND INTERPRETATION
1.1 The following definitions shall apply in this Agreement:
Controller as defined above and shall take the meaning given in the Data Protection Legislation;
Data Guidance means any applicable guidance, guidelines, direction or determination, framework, code of practice, standard or requirement regarding information governance, confidentiality, privacy or compliance with the Data Protection Legislation (whether specifically mentioned in this Agreement or not) to the extent published and publicly available or their existence or contents have been notified to the Supplier by NHS England and NHS Improvement and/or any relevant Regulatory or Supervisory Body. This includes but is not limited to guidance issued by NHS Digital, the National Data Guardian for Health & Care, the Department of Health, NHS England, the Health Research Authority, Public Health England, the European Data Protection Board and the Information Commissioner;
Data Loss Event means any event that results, or may result, in unauthorised processing of Personal Data held by the Supplier under this Agreement or Personal Data that the Supplier has responsibility for under this Agreement including without limitation actual or potential loss, destruction, corruption or inaccessibility of Personal Data, including any Personal Data Breach;
Data Processing Services means the data processing services described in the Annex to this Agreement;
Data Protection Impact Assessment means an assessment by the Controller of the impact of the envisaged processing on the protection of Personal Data;
Data Protection Legislation means (i) the DPA 1998; (ii) the GDPR, the LED and any applicable national Laws implementing them as amended from time to time; (iii) the DPA 2018; and (iv) all applicable Law concerning privacy, confidentiality or the processing of personal data, including but not limited to the Human Rights Act 1998, the Health and Social Care (Safety and Quality) Act 2015, the common law duty of confidentiality and the Privacy and Electronic Communications (EC Directive) Regulations;
Data Protection Officer shall take the meaning given in the Data Protection Legislation;
Data Subject shall take the meaning given in the Data Protection Legislation;
Data Subject Access Request means a request made by, or on behalf of, a Data Subject in accordance with rights granted pursuant to the Data Protection Legislation to access their Personal Data;
DPA 1998 means the Data Protection Act 1998;
DPA 2018 means the Data Protection Act 2018;
EU means the European Union;
European Data Protection Board has the meaning given to it in the Data Protection Legislation;
GDPR means the General Data Protection Regulation (Regulation (EU) 2016/679);
Information Commissioner means the independent authority established to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals (www.ico.org.uk) and any other relevant data protection or supervisory authority recognised pursuant to the Data Protection Legislation;
Law means any law or subordinate legislation within the meaning of Section 21(1) of the Interpretation Act 1978, bye-law, enforceable right within the meaning of Section 2 of the European Communities Act 1972, regulation, order, regulatory policy, mandatory guidance or code of practice, judgment of a relevant court of law, or directives or requirements with which the Supplier is bound to comply;
LED means the Law Enforcement Directive (Directive (EU) 2016/680);
Personal Data shall take the meaning given in the Data Protection Legislation;
Personal Data Breach shall take the meaning given in the Data Protection Legislation;
Processor shall take the meaning given in the Data Protection Legislation;
Processing and cognate terms shall have the meaning given in the Data Protection Legislation;
Protective Measures means appropriate technical and organisational measures which may include: pseudonymising and encrypting Personal Data; ensuring confidentiality, integrity, availability and resilience of systems and services; ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident; and regularly assessing and evaluating the effectiveness of such measures;
Regulatory or Supervisory Body means any statutory or other body having authority to issue guidance, standards or recommendations with which the Supplier and/or Supplier Personnel must comply or to which it or they must have regard, including:
(i) CQC;
(ii) NHS Improvement;
(iii) NHS England;
(iv) the Department of Health and Social Care;
(v) the National Institute for Health and Care Excellence;
(vi) Healthwatch England and Local Healthwatch;
(vii) Public Health England;
(viii) the General Pharmaceutical Council;
(ix) the Healthcare Safety Investigation Branch;
(x) Information Commissioner;
(xi) European Data Protection Board;
(xii) NHS Digital;
Services means the goods and/or services to be supplied by the Supplier under the Supply Agreement;
Sub-processor means any third party appointed to process Personal Data on behalf of the Supplier related to this Agreement;
Supplier Personnel means any and all persons employed or engaged from time to time in the provision of the Services and/or the processing of Personal Data whether employees, workers, consultants or agents of the Supplier or any subcontractor or agent of the Supplier.
Working Day means a day other than a Saturday, Sunday or bank holiday in England.
1.1.1 reference to any legislative provision shall be deemed to include any statutory instrument, bye law, regulation, rule, subordinate or delegated legislation or order and any rules and regulations which are made under it, and any subsequent re-enactment, amendment or replacement of the same;
1.1.2 the Annex forms part of this Agreement and shall have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Annex; and
1.1.3 references to clauses and Annexes are to clauses and Annexes to this Agreement.
2. SCOPE OF THIS AGREEMENT
2.1 In consideration of the sum of £1 (receipt of which the Supplier expressly acknowledges) and in consideration of the Controller agreeing to provide or procure the provision of Personal Data to the Supplier, the parties have agreed that:
2.1.1 from the Commencement Date, the terms of this Agreement will apply to and govern all processing of Personal Data by the Supplier pursuant to the Supply Agreement; and
2.1.2 this Agreement is supplemental to the Supply Agreement and, in the case of conflict or inconsistency between any of the provisions of this Agreement and the provisions of the Supply Agreement, the provisions of this Agreement shall prevail to the extent of such conflict or inconsistency.
3. PROCESSING OF PERSONAL DATA
3.1 The Parties acknowledge that for the purposes of the Data Protection Legislation and the delivery of the Data Processing Services, the Controller is the Controller and the Supplier is the Processor.
3.2 The Supplier shall notify the Controller immediately if it considers that any instructions infringe the Data Protection Legislation.
3.3 The Supplier shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include:
3.3.1 a systematic description of the envisaged processing operations and the purpose of the processing;
3.3.2 an assessment of the necessity and proportionality of the processing operations in relation to the Data Processing Services;
3.3.3 an assessment of the risks to the rights and freedoms of natural persons; and
3.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
3.4 The Supplier shall provide all reasonable assistance to the Controller if the outcome of the Data Protection Impact Assessment leads the Controller to consult the Information Commissioner.
3.5 The Supplier shall, in relation to any Personal Data processed in connection with its obligations under this Agreement:
3.5.1 process that Personal Data only in accordance with the instructions set out in the Annex, unless the Supplier is required to do otherwise by Law. If it is so required the Supplier shall promptly notify the Controller before processing the Personal Data unless prohibited by Law.
3.5.2 ensure that it has in place Protective Measures to protect against a Data Loss Event having taken account of the:
3.5.2.1 nature of the data to be protected;
3.5.2.2 harm that might result from a Data Loss Event;
3.5.2.3 state of technological development; and
3.5.2.4 cost of implementing any measures.
3.5.3 ensure that:
3.5.3.1 the Supplier Personnel do not process the Personal Data except in accordance with this Agreement (and in particular the Annex);
3.5.3.2 it takes all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that they:
3.5.3.2.1 are aware of and comply with the Supplier’s duties under this clause;
3.5.3.2.2 are subject to appropriate confidentiality undertakings with the Supplier or any Sub-processor that are in writing and are legally enforceable;
3.5.3.2.3 are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in advance and in writing to do so by the Controller or as otherwise permitted by this Agreement.
3.5.3.2.4 have undergone adequate training in the use, care, protection and handling of Personal Data that enables them and the Supplier to comply with their responsibilities under the Data Protection Legislation and this Agreement. The Supplier shall provide the Controller with evidence of completion and maintenance of that training within three Working Days of request by the Controller.
3.5.4 not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
3.5.4.1 the Controller or the Supplier has provided appropriate safeguards in relation to the transfer as determined by the Controller;
3.5.4.2 the Data Subject has enforceable rights and effective legal remedies;
3.5.4.3 the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
3.5.4.4 the Supplier complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data.
3.5.5 at the written direction of the Controller, delete or return the Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Supplier is required by Law to retain the Personal Data. If the Supplier is asked to delete the Personal Data the Supplier shall provide the Controller with evidence that the Personal Data has been securely deleted in accordance with the Data Protection Legislation within a period agreed within the written direction of the Controller.
3.6 Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Supplier shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, but not limited to, as appropriate:
3.6.1 the pseudonymisation and encryption of Personal Data;
3.6.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3.6.3 the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
3.6.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
3.7 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Supplier must:
3.7.1 notify the Controller in writing of the intended Sub-processor and processing;
3.7.2 obtain the written consent of the Controller;
3.7.3 enter into a written agreement with the Sub-processor which gives effect to the terms set out in this Agreement such that they apply to the Sub-processor and in respect of which the Controller is given the benefits of third-party rights to enforce the same; and
3.7.4 provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require.
3.8 The Supplier shall ensure that the third party’s access to the Personal Data terminates automatically on termination of this Agreement for any reason save that the Sub-processor may access the Personal Data in order to securely destroy it.
3.9 The Supplier shall remain fully liable for all acts or omissions of any Sub-processor.
3.10 Subject to clause 3.13, the Supplier shall notify the Controller immediately if it:
3.10.1 receives a Data Subject Access Request (or purported Data Subject Access Request) connected with Personal Data processed under this Agreement;
3.10.2 receives a request to rectify, block or erase any Personal Data connected with Personal Data processed under this Agreement;
3.10.3 receives any other request, complaint or communication relating to either Party’s obligations under the Data Protection Legislation connected with Personal Data processed under this Agreement;
3.10.4 receives any communication from the Information Commissioner or any other Supervisory or Regulatory Body connected with Personal Data processed under this Agreement;
3.10.5 receives a request from any third party for disclosure of Personal Data connected with this Agreement; or
3.10.6 becomes aware of an actual or suspected Data Loss Event.
3.11 This notification shall be given by emailing the original request and any subsequent communications to {INSERT THE DATA CONTROLLER ORGANISATION’S CONTACT DETAILS}.
3.12 The Supplier shall not respond substantively to the communications listed at clause 3.10 save that it may respond to a Regulatory or Supervisory Body following prior consultation with the Controller.
3.13 The Supplier’s obligation to notify under clause 3.10 shall include the prompt provision of further information to the Controller in phases, as details become available.
3.14 Taking into account the nature of the processing, the Supplier shall provide the Controller with full assistance in relation to either Party’s obligations under Data Protection Legislation and any complaint, communication or request made under clause 3.10 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing:
3.14.1 the Controller with full details and copies of the complaint, communication or request;
3.14.2 such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
3.14.3 such assistance as is reasonably requested by the Controller to enable the Controller to comply with other rights granted to individuals by the Data Protection Legislation including the right of rectification, the right to erasure, the right to object to processing, the right to restrict processing, the right to data portability and the right not to be subject to an automated individual decision (including profiling);
3.14.4 the Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
3.14.5 assistance as requested by the Controller following any Data Loss Event;
3.14.6 assistance as requested by the Controller in relation to informing a Data Subject about any Data Loss Event, including communication with the Data Subject;
3.14.7 assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner’s Office;
3.14.8 the Controller with copies of any requests from Data Subjects seeking to exercise their rights under the Data Protection Legislation. Such requests must be sent to {INSERT CONTACT MECHANISM} immediately, and in any event no later than one Working Day after receipt by the Supplier.
3.15 The Supplier shall allow for audits of its delivery of the Data Processing Services by the Controller or their designated auditor.
3.16 The Supplier shall provide the Controller with evidence to demonstrate compliance with all of its obligations under this Agreement and the relevant Data Protection Legislation.
3.17 The Supplier shall designate a Data Protection Officer if required by the Data Protection Legislation, and shall communicate to the Controller the name and contact details of any Data Protection Officer.
3.18 The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this Agreement, the Data Protection Legislation and Data Guidance. The Supplier must create and maintain a record of all categories of data processing activities carried out under this Agreement, containing:
3.18.1 the categories of processing carried out under this Agreement;
3.18.2 where applicable, transfers of Personal Data to a third country or an international organisation, including the identification of that third country or international organisation and, where relevant, the documentation of suitable safeguards;
3.18.3 a general description of the Protective Measures taken to ensure the security and integrity of the Personal Data processed under this Agreement; and
3.18.4 a log recording the processing of Personal Data in connection with this Agreement comprising, as a minimum, details of the Personal Data concerned, how the Personal Data was processed, where the Personal Data was processed and the identity of any individual carrying out the processing.
3.19 The Supplier shall ensure that the record of processing maintained in accordance with clause 3.18 is provided to the Controller within two Working Days of a written request from the Controller.
3.20 This Agreement does not relieve the Supplier from any obligations conferred upon it by the Data Protection Legislation.
3.21 The Parties agree to take account of any guidance issued by the Information Commissioner. The Controller may on not less than 30 Working Days’ notice to the Supplier amend this Data Processing Agreement to ensure that it complies with any guidance issued by the Information Commissioner.
3.22 The Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by adding to it any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement).
3.23 The Supplier warrants and undertakes that it will deliver the Data Processing Services in accordance with all Data Protection Legislation, any Data Guidance and this Agreement and in particular that it has in place Protective Measures that are sufficient to ensure that the delivery of the Data Processing Services complies with the Data Protection Legislation and ensures that the rights of Data Subjects are protected. The Supplier shall not do or omit to do anything that will put the Controller in breach of the Data Protection Legislation or the Data Guidance. The Supplier shall, at all times during and after the expiry of this Agreement, indemnify the Controller and keep the Controller indemnified against all losses, damages, costs or expenses and other liabilities (including legal fees) incurred by, awarded against or agreed to be paid by the Controller arising from any breach of the Supplier’s obligations under this clause.
3.24 The Supplier must assist the Controller in ensuring compliance with the obligations set out at Articles 32 to 36 of the GDPR and equivalent provisions implemented into Law, taking into account the nature of processing and the information available to the Supplier.
3.25 The Supplier must take prompt and proper remedial action regarding any Data Loss Event.
3.26 The Supplier must assist the Controller by taking appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of their obligation to respond to requests for exercising rights granted to individuals by the Data Protection Legislation.
4. TERM AND TERMINATION
4.1 This Agreement shall commence on the Commencement Date. Unless terminated in accordance with this clause, this Agreement shall automatically terminate on termination or expiry of the Supply Agreement.
4.2 Without affecting any other right or remedy available to it, the Controller may immediately terminate this Agreement by notice in writing to the Supplier if the Supplier commits a material breach of any provision of this Agreement or the Supplier repeatedly breaches any of the provisions of this Agreement.
4.3 If the Controller terminates this Agreement pursuant to the foregoing clause this shall be deemed an irremediable material breach of the Supply Agreement and the Controller shall be entitled (without affecting any other right or remedy available to it) to immediately terminate the Supply Agreement for the Supplier’s irremediable breach of the Supply Agreement without incurring any liability to the Supplier.
4.4 On termination of this Agreement:
4.4.1 any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of this Agreement which existed at or before the date of termination, shall not be affected;
4.4.2 the provisions of this Agreement which place obligations on the Supplier in respect of the processing of Personal Data shall continue in force and effect until such time as all Personal Data (including all copies thereof) has either been returned and/or destroyed in accordance with the foregoing sub-clause (unless otherwise strictly required by Law);
4.4.3 without prejudice to the foregoing sub-clause, the provisions of this Agreement that expressly or by implication are intended to come into or continue in force on or after termination of this Agreement shall remain in full force and effect; and
5. REMEDIES AND NO WAIVER
5.1 The Supplier shall indemnify, defend and hold harmless the Controller from and against all and any losses, claims, liabilities, costs, charges, expenses, awards and damages of any kind including any fines and legal and other professional fees and expenses (irrespective of whether they were reasonably foreseeable or avoidable) which it/they may suffer or incur as a result of, or arising out of or in connection with, any breach by the Supplier of any of its obligations in this Agreement. For the avoidance of any doubt, any limitation of liability which applies under the Supply Agreement shall not apply to the Supplier’s liability under the indemnity in this clause (which shall be unlimited).
5.2 The rights and remedies provided under this Agreement are in addition to, and not exclusive of, any rights or remedies provided by Law or in equity.
5.3 A waiver of any right or remedy under this Agreement or by Law or in equity is only effective if given in writing and signed on behalf of the party giving it and any such waiver so given shall not be deemed a waiver of any similar or subsequent breach or default.
5.4 A failure or delay by a party in exercising any right or remedy provided under this Agreement or by Law or in equity shall not constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict any further exercise of that or any other right or remedy. No single or partial exercise of any right or remedy provided under this Agreement or by Law or in equity shall prevent or restrict the further exercise of that or any other right or remedy.
6. NOTICES
6.1 Any notice given to a party under or in connection with this Agreement shall be in writing in the English language and shall be sent by email to the relevant address set out below.
The Controller contact email: {INSERT THE DATA CONTROLLER ORGANISATION’S CONTACT DETAILS}
The Supplier contact email: dpo@engagehealth.uk
6.2 Any notice validly given in accordance with the foregoing clause shall be deemed to have been received the following Working Day.
7. GENERAL
7.1 The Supplier shall not assign, transfer, mortgage, charge, subcontract, declare a trust over or deal in any other manner with any or all of its rights and obligations under this Agreement without the prior written consent of the Controller.
7.2 No variation of this Agreement shall be effective unless it is in writing and signed by the parties to this Agreement.
7.3 This Agreement may be executed in any number of counterparts, each of which when executed and delivered shall constitute a duplicate original, but all the counterparts shall together constitute the one agreement. No counterpart shall be effective until each party has executed at least one counterpart.
8. GOVERNING LAW AND JURISDICTION
8.1 This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the Law of England.
8.2 Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims), provided that nothing in this clause shall prevent a party from enforcing any judgement obtained in the court of England and Wales in any other court with jurisdiction over the other party.
THIS AGREEMENT has been entered into on the date stated at the beginning of it.
ANNEX – DATA PROCESSING SERVICES
The Supplier shall comply with any further written instructions with respect to processing by the Controller.
Any such further instructions shall be incorporated into this Annex.
Description | Details
Subject matter of the processing | [This should be a high level, short description of what the processing is about, i.e. its subject matter]
Duration of the processing | [Clearly set out the duration of the processing, including dates]
Nature and purpose of the processing | [Please be as specific as possible, but make sure that you cover all intended purposes. The nature of the processing means any operation such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means) etc. The purpose might include: employment processing, statutory obligation, recruitment assessment etc.]
Type of Personal Data | [Examples here include: name, address, date of birth, NI number, telephone number, pay, images, biometric data etc. You should be clear what data is being used for each purpose you have outlined above. You should identify whether you are processing any special categories of personal data or any criminal offence data. The special categories of personal data are very similar to sensitive personal data under the DPA 1998. They are set out at Article 9. The special categories of personal data are: race; ethnic origin; political opinion; religion or philosophical belief; trade union membership; genetics; biometrics (where used for ID purposes); health (including mental health); sex life; sexual orientation. Unlike under the DPA 1998, personal data relating to criminal convictions and offences are not included. However, similar extra safeguards apply to criminal offence data, which includes data about criminal allegations, proceedings or convictions that would have been sensitive personal data under the DPA 1998 and also personal data linked to related security measures. You should identify if you are processing this type of data and, if so, seek further advice from england.ig-corporate@nhs.net before the data is processed.]
Categories of Data Subject | [Examples include: Staff (including volunteers, agents, and temporary workers), customers/clients, suppliers, patients, students/pupils, members of the public, users of a particular website etc.]
Signatories
This agreement must be approved and signed by the Controller’s Senior Information Risk Owners (SIRO) or equivalent.
Signed for and on behalf of the Controller:
Signature of SIRO:
Name of SIRO (PRINT):
Date:
Signed for and on behalf of the Supplier:
Signature of Director:
Name of Director (PRINT):
Date: